Analysis Overview
SHA256
55deb19da531e80ad41f3a41a1d9bd0d47ad1d6f9451a599008b388d5c145d84
Threat Level: Known bad
The file 55deb19da531e80ad41f3a41a1d9bd0d47ad1d6f9451a599008b388d5c145d84 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Executes dropped EXE
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 20:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 20:20
Reported
2024-11-04 20:23
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Sectoprat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4336 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe |
| PID 1032 set thread context of 1756 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe |
| PID 1168 set thread context of 4108 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe |
| PID 3796 set thread context of 1880 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe
"C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe"
C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe
"C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4336-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/4336-1-0x0000000000A20000-0x0000000000A44000-memory.dmp
memory/4336-2-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/4336-3-0x00000000053F0000-0x0000000005456000-memory.dmp
memory/1444-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4336-6-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe.log
| MD5 | 4bc94363628f46b343c5e8e2da62ca26 |
| SHA1 | 8a41ac46e24d790e11a407d0e957c4a6be6056c4 |
| SHA256 | c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a |
| SHA512 | cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829 |
memory/4336-8-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/1444-10-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/1444-9-0x0000000005550000-0x0000000005B68000-memory.dmp
memory/1444-11-0x0000000004EE0000-0x0000000004EF2000-memory.dmp
memory/1444-12-0x0000000005070000-0x00000000050AC000-memory.dmp
memory/1444-15-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | b63f8266a958beb581b25b95a6b54040 |
| SHA1 | fb1193a13211cc4677e41417addf4f8fc3de9049 |
| SHA256 | f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e |
| SHA512 | d8525b12347c9fea9320134f672ff3e40d1bd091a2cd004ac06c11236da9a43de0e1e657711bd06e01dc49d9f0b8c8f3ea8ff6869a2cd4e3a09a6866ebd30821 |
memory/1444-16-0x00000000050B0000-0x00000000050FC000-memory.dmp
memory/1444-19-0x00000000052F0000-0x00000000053FA000-memory.dmp
memory/1444-24-0x0000000074830000-0x0000000074FE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 20:20
Reported
2024-11-04 20:23
Platform
win7-20240903-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 576 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe |
| PID 2776 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe |
| PID 2220 set thread context of 1256 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe
"C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe"
C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe
"C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {3B64C6F0-C46D-45A0-B7B6-567CD3F70E60} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 8.8.8.8:53 | adm1234.duckdns.org | udp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
| US | 103.89.14.70:20603 | adm1234.duckdns.org | tcp |
Files
memory/576-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
memory/576-1-0x0000000000C90000-0x0000000000CB4000-memory.dmp
memory/2504-2-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2504-3-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2504-12-0x0000000000400000-0x000000000041E000-memory.dmp
memory/576-17-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2504-18-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2504-19-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/576-20-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2504-21-0x0000000074CB0000-0x000000007539E000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | b63f8266a958beb581b25b95a6b54040 |
| SHA1 | fb1193a13211cc4677e41417addf4f8fc3de9049 |
| SHA256 | f1293c371b785607051301ef4c0f8bfe0c34421539660c049b580ca9a2456d6e |
| SHA512 | d8525b12347c9fea9320134f672ff3e40d1bd091a2cd004ac06c11236da9a43de0e1e657711bd06e01dc49d9f0b8c8f3ea8ff6869a2cd4e3a09a6866ebd30821 |
memory/2776-24-0x00000000010B0000-0x00000000010D4000-memory.dmp
memory/2044-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2044-40-0x0000000000080000-0x000000000009E000-memory.dmp
memory/2044-43-0x0000000000080000-0x000000000009E000-memory.dmp
memory/2044-37-0x0000000000080000-0x000000000009E000-memory.dmp
memory/1256-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp